In addition to DNS, there are other name resolution mechanisms the pen tester can exploit. Originally, Microsoft Windows computers did not use DNS to resolve names; they used NetBIOS Name Service (NBNS) queries. If a Microsoft WINS server or the local lmhosts text file did not have the needed entry, the host sent out a special broadcast in the hope that the desired server would hear it and respond. Starting with Windows Vista, NBNS was superseded (though kept as a fallback) by the Link-Local Multicast Name Resolution (LLMNR) protocol. LLMNR uses multicasting rather than broadcasting and supports both IPv4 and IPv6. If a client cannot resolve a name using DNS, it can send an LLMNR multicast to the local segment to try to resolve the name.
Windows computers follow a specific order to resolve names:
- Check if the destination is itself.
- Check if the name is in the DNS resolver caches already.
- Check if the name is in the %systemroot%\system32\drivers\etc\hosts file.
- Query the DNS server.
- Send an LLMNR multicast to 224.0.0.252 (IPv6 FF02::1:3), UDP port 5355.
- Send a NetBIOS name query broadcast to 255.255.255.255, UDP port 137.
It is possible to exploit name resolution at any of these levels (except the first). The attacker could:
- Poison the DNS server or client resolver cache.
- Edit the client's hosts file.
- Run a tool that listens for LLMNR/NBNS queries and responds with its own address as the desired destination. When the client then tries to connect, it prompts the user to log on according to the protocol the client is using, thus harvesting the user's credentials.
Note: Kali's Responder can also listen for multicast DNS (mDNS). This is a special implementation of DNS in which the client does not need to know the IP address of a DNS server; instead it sends a multicast to 224.0.0.251 (IPv6 FF02::FB), UDP port 5353, to perform name resolution. It is used by Apple Bonjour, Avahi, and to a limited extent Android and Windows 10.
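The fallback steps and the poisoning technique above can be made concrete from the defender's side. The following is an added example, not code from this page, from Responder or from Metasploit: it decodes the DNS-shaped messages that LLMNR, mDNS and NBNS share (including the NetBIOS first-level name encoding), tells the three protocols apart by port, and raises an alert when a "canary" name that no real host owns is answered or when more than one host answers the same name, which is what a poisoner on the segment looks like on the wire. The sample packets, hostnames and 10.0.0.x addresses are constructed lab values; only the multicast groups and ports are the real protocol constants. Run it directly, or call `find_poisoning(SAMPLE, canary_names=["canary-x"])`.

```python
"""Decode LLMNR / mDNS / NBNS messages and flag LLMNR/NBNS poisoning. Added example for
this page (not from the original text, Responder or Metasploit); every packet, address and
hostname below is a constructed lab value; only the multicast groups and ports are real."""
import struct

LLMNR_PORT, MDNS_PORT, NBNS_PORT = 5355, 5353, 137
LLMNR_V4, MDNS_V4, NBNS_BCAST = "224.0.0.252", "224.0.0.251", "255.255.255.255"

def protocol_for(sport, dport):
    """Replies are unicast, so classify by port: one side is always the well-known port."""
    for proto, port in (("LLMNR", LLMNR_PORT), ("mDNS", MDNS_PORT), ("NBNS", NBNS_PORT)):
        if port in (sport, dport):
            return proto
    return None

def read_name(buf, off):
    """Read a DNS-format name (labels or a 0xC0 compression pointer); return (name, next offset)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                  # pointer: follow it, but resume after its 2 bytes
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def decode_netbios_name(label):
    """Undo NetBIOS first-level encoding: 32 chars 'A'..'P' -> (15-char name, suffix byte)."""
    raw = bytes(((ord(label[i]) - 65) << 4) | (ord(label[i + 1]) - 65) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def parse(payload, proto):
    """Parse the DNS-shaped header and records that all three protocols share."""
    tid, flags, qd, an = struct.unpack_from("!4H", payload, 0)
    off, answers = 12, []
    for _ in range(qd):                            # skip the question section
        off = read_name(payload, off)[1] + 4
    for _ in range(an):
        name, off = read_name(payload, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", payload, off)
        rdata, off = payload[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if proto == "NBNS" and rtype == 0x20:      # NB record: 2 flag bytes, then IPv4
            name, ip = decode_netbios_name(name.split(".")[0])[0], ".".join(map(str, rdata[2:6]))
        elif rtype == 1 and rdlen == 4:            # A record
            ip = ".".join(map(str, rdata))
        else:
            ip = None
        answers.append((name, ip))
    return {"id": tid, "response": bool(flags & 0x8000), "answers": answers}

def find_poisoning(packets, canary_names=()):
    """packets: (src_ip, sport, dst_ip, dport, payload). Alert on answers for canary names the
    defender queried on purpose (no real host owns them) and on names answered by >1 host."""
    canaries = {c.lower() for c in canary_names}
    alerts, responders = [], {}
    for src, sport, _dst, dport, payload in packets:
        proto = protocol_for(sport, dport)
        if proto in ("LLMNR", "NBNS"):
            msg = parse(payload, proto)
            for name, _ip in (msg["answers"] if msg["response"] else []):
                responders.setdefault((proto, name.lower()), set()).add(src)
                if name.lower() in canaries:
                    alerts.append((proto, src, name.lower(), "answer for canary name"))
    for (proto, name), hosts in responders.items():
        if len(hosts) > 1:
            alerts.append((proto, ", ".join(sorted(hosts)), name, "multiple hosts answered"))
    return alerts

# --- constructed sample traffic (hand-built, not a capture) ---------------------------------
def build_dns_msg(tid, name, ip=None):
    """LLMNR/mDNS-style query, or a response whose A answer points back at the question name."""
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", tid, 0x8000 if ip else 0, 1, 1 if ip else 0, 0, 0) + qname + b"\x00\x01\x00\x01"
    if ip:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(map(int, ip.split(".")))
    return msg

def encode_netbios_name(name, suffix=0x20):
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0xF)) for b in raw)

def build_nbns_msg(tid, name, ip=None):
    """NBNS name query (QD=1) or positive name-query response (QD=0, AN=1, one NB record)."""
    qname = bytes([32]) + encode_netbios_name(name).encode("ascii") + b"\x00"
    if ip is None:
        return struct.pack("!6H", tid, 0x0110, 1, 0, 0, 0) + qname + b"\x00\x20\x00\x01"
    rdata = b"\x00\x00" + bytes(map(int, ip.split(".")))
    return struct.pack("!6H", tid, 0x8400, 0, 1, 0, 0) + qname + struct.pack("!HHIH", 0x20, 1, 300000, 6) + rdata

SAMPLE = [
    ("10.0.0.20", 49152, LLMNR_V4, LLMNR_PORT, build_dns_msg(1, "fileserv")),
    ("10.0.0.5", LLMNR_PORT, "10.0.0.20", 49152, build_dns_msg(1, "fileserv", "10.0.0.5")),     # real host
    ("10.0.0.99", LLMNR_PORT, "10.0.0.20", 49152, build_dns_msg(1, "fileserv", "10.0.0.99")),   # second answer
    ("10.0.0.20", NBNS_PORT, NBNS_BCAST, NBNS_PORT, build_nbns_msg(2, "canary-x")),             # canary query
    ("10.0.0.99", NBNS_PORT, "10.0.0.20", NBNS_PORT, build_nbns_msg(2, "canary-x", "10.0.0.99")),
]

if __name__ == "__main__":
    for alert in find_poisoning(SAMPLE, canary_names=["canary-x"]):
        print(alert)
```

The canary check mirrors what a defender can do on a hardened segment: since LLMNR and NBNS should be disabled by policy there, any host that answers a query for a name that does not exist is worth investigating. In a real deployment the packet tuples would come from a capture on the segment rather than from the constructed list.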
Name Resolution Attack Tools
Tools you can use to conduct name resolution attacks include:
- Kali Responder
- Metasploit auxiliary/spoof/llmnr/llmnr_response